Dear Mates,
We would like to use the "indicators" option in Threat Prevention policy and create an External IOC feed object pointing to a file with IP addresses only, one per line.
In specific, we would like to use Talos IP blacklist, for a start ( http://www.talosintelligence.com/documents/ip-blacklist )
First of all, I would like to ask if this is possible through Smartconsole. Documentation mentions that feeds which do not match Checkpoint's format, cannot be used in Smartconsole.
Secondly, if the above is possible, is there any documentation on how to fill up the "Custom feed settings"? In our case with an IP address file, I assume that we choose "type: IP address" on the dropdown menu and leave the "ignore lines that start with:" and "fields delimeter:" fields as blank.
What about the "Fields to column number mappings" section? "Value:" field cannot be empty. I guess that since I have "one column" in the file, shall I use "1" in that field?
Please be also informed of the versions in our environment.
Management server: R81.10, jhf 30
Security gateways: R80.30, most in jhf 237
Thank you in advance!
Best Regards
We have R81.10 GWs and Management and Custom Feeds work also with only IP Addresses!
BUT we have issues with this specific Talos Feed because http://www.talosintelligence.com/documents/ip-blacklist forwards to https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/023/722/original/ip_filt...
In the ioc_feed.elg it shows
Cisco_Talos_Feed: Failed to fetch feed. Resource: http://www.talosintelligence.com/documents/ip-blacklist, Reason: Peer certificate cannot be authenticated with given CA certificates
Any ideas how to solve this?
KR,
David
are you sure that it is working?
try to search in logs "ioc" and verify that you do not have this error:
also, try to verify if IPs are correctly enforced; i guess that we should see all relevant IPs in the output of the command fwaccel dos stats get.
Am i correct? @PhoneBoy
this is true for me for list with only IPs (not domains, not sha1 etc.); anyway, here another question... IoC are only for AV/AB use, but i can see IPs (Cisco Talos) also under fwaccel dos stats get like i mentioned....so it should work also at FW blade level... very confusing
| User | Count |
|---|---|
| 4 | |
| 3 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Mon 25 Nov 2024 @ 02:00 PM (EST)
(Americas) AI Series Part 3: Maximizing AI to Drive Growth and EfficiencyTue 26 Nov 2024 @ 10:00 AM (CET)
EMEA Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 26 Nov 2024 @ 03:00 PM (CET)
Navigating NIS2: Practical Steps for Aligning Security and ComplianceTue 26 Nov 2024 @ 05:00 PM (CET)
Discover the Future of Cyber Security: What’s New in Check Point’s Quantum R82Tue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopTue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsMon 25 Nov 2024 @ 02:00 PM (EST)
(Americas) AI Series Part 3: Maximizing AI to Drive Growth and EfficiencyTue 26 Nov 2024 @ 10:00 AM (CET)
EMEA Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 26 Nov 2024 @ 03:00 PM (CET)
Navigating NIS2: Practical Steps for Aligning Security and ComplianceTue 26 Nov 2024 @ 05:00 PM (CET)
Discover the Future of Cyber Security: What’s New in Check Point’s Quantum R82Tue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsTue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopWed 04 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 2: Cloud Risk Management Workshop
